Closed ya-mouse closed 3 years ago
On a normal system bus configuration, claiming names and sending method-calls is not allowed. Service-configurations need to punch holes into the policy, to allow individual names/calls. If that is not the case on your system, I would suspect there is some policy installed which incorrectly opens up those names.
Yeah, the system-wide policy file stated the same, but doesn't work:
https://github.com/freedesktop/dbus/blob/dbus-1.12.20/bus/system.conf.in#L48-L51
(That is the right package version supplied by Yocto.)
All the policy files in /usr/share/dbus-1/system.d/ as well as /etc/dbus-1/system.d/ might (incorrectly) open this up. Can you grep through them for own= lines, or check whether there are any left-over files not part of your system install?
Lastly, there is also /etc/dbus-1/system-local.conf and possible <include...> lines in any of the included files.
Yeah, you're right, there is a file /etc/dbus-1/system.d/org.openbmc.conf:
<busconfig>
<policy context="default">
<allow own="*"/>
<allow send_destination="*"/>
</policy>
</busconfig>
Thanks a lot!
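The audit suggested above (grep the system.d directories for own= lines) and the offending org.openbmc.conf that turned up, as an added example that is not part of this thread: a small Python script that parses every policy file in the directories named in the discussion and reports wildcard <allow> rules, which are what undo the deny-by-default policy from system.conf. The directory list and the sample policy text are taken from the thread; the function names are my own.

```python
#!/usr/bin/env python3
"""Audit D-Bus system-bus policy files for wildcard <allow> rules (added example)."""
import glob
import os
import xml.etree.ElementTree as ET

# Directories named in the thread; /etc/dbus-1/system-local.conf and
# <include> files are not followed by this script.
POLICY_DIRS = ["/etc/dbus-1/system.d", "/usr/share/dbus-1/system.d"]
# Attributes whose "*" value in an <allow> opens the bus to every caller.
WILDCARD_ATTRS = ("own", "send_destination")

# Constructed sample, modelled on the org.openbmc.conf quoted above.
SAMPLE_CONF = """<busconfig>
<policy context="default">
<allow own="*"/>
<allow send_destination="*"/>
</policy>
</busconfig>"""


def policy_scope(policy):
    """Describe who a <policy> element applies to (user=, group= or context=)."""
    for key in ("user", "group", "context"):
        if key in policy.attrib:
            return f"{key}={policy.attrib[key]}"
    return "unscoped"


def find_wildcard_allows(xml_text, source="<string>"):
    """Return (source, scope, attribute) for every wildcard <allow> in a busconfig."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        scope = policy_scope(policy)
        for allow in policy.findall("allow"):
            for attr in WILDCARD_ATTRS:
                if allow.get(attr) == "*":
                    findings.append((source, scope, attr))
    return findings


def scan_policy_dirs(dirs=POLICY_DIRS):
    """Scan every *.conf under the given directories; report unparsable files."""
    findings = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.conf"))):
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(find_wildcard_allows(fh.read(), path))
            except ET.ParseError as exc:
                print(f"{path}: not parsed ({exc})")
    return findings


if __name__ == "__main__":
    for source, scope, attr in find_wildcard_allows(SAMPLE_CONF, "sample") + scan_policy_dirs():
        print(f'{source}: <allow {attr}="*"/> under policy {scope}')
```

A wildcard allow under context="default" is the case from this thread; one under a user= policy is scoped to that user and is reported with that scope so you can judge it.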
I'm trying to restrict bus name owning to a specific user, but even with the default <deny own="*"/> (defined in /usr/share/dbus-1/system.conf) the following config doesn't disallow requesting a bus name: any process, even a non-root one, is able to request a bus name. What am I missing?
The daemon code: https://github.com/openbmc/phosphor-host-ipmid/blob/master/ipmid-new.cpp#L877